Navigating AI Risks

Three AI recruiters look at the same 109 CVs. They agree only 14% of the time. That’s not the start of a joke. And that's not efficiency. That’s what I call 'Rank Roulette'. When I tested ChatGPT, Gemini and Grok against the same job spec and anonymised CV set, here’s what happened: • 14% overlap in shortlists → Four times out of five, the models disagreed. • ±2.5 places volatility → Yesterday’s #2 became today’s #5. • 55% of CVs never surfaced → Candidates vanished with no audit trail. • 96% recycled rationales → Fluent, but shallow logic. We’re told by vendors and in-house 'tinkerers' that LLMs can “shortlist in seconds”. The truth: they behave more like over-confident interns - smooth on the surface, but shockingly inconsistent. And the worst part? It’s not even random. In a follow-up piece, I explored why this happens: a technical quirk called batch non-determinism. In plain English: your candidate’s fate changes depending on what else the server was processing at that moment. Until volatility is tamed, hands-off AI screening with LLMs is more than risky. It’s completely unexplainable, indefensible and a governance nightmare. Go to the comments for 👉 Full research 👉 Follow-up on why AI recruiters play favourites

Your AI recruiting agent or use case might be brilliant. It might also be illegal. If your AI screens, ranks, or evaluates candidates - you're operating in an increasingly actively regulated environment. And not just in the US. NYC requires annual bias audits. Illinois requires notice. California requires 4-year data retention. Colorado requires impact assessments with $20,000 per violation penalties. The EU classifies all recruiting AI as high-risk. South Korea's AI Basic Act explicitly lists hiring as high-impact. Brazil and Chile have GDPR-style rights against automated employment decisions. Singapore's Workplace Fairness Act covers AI-driven hiring decisions. This isn't a US-and-EU issue. It's global. Something else you need to look out for - your compliance is only as strong as the gap between your published AI notice and what your people actually do. A recruiter pastes a resume into ChatGPT on a busy Tuesday. Or simply uses their company-approved solution in a way that wasn't approved. That tool/use case hasn't been audited. There's no notice. No audit trail. The employer is still liable. I wrote a full breakdown of the regulatory landscape - US, EU, and the global wave most people don't see coming - and what TA teams need to do about it. Check it out 👇

📢 What are the risks from Artificial Intelligence? We present the AI Risk Repository: a comprehensive living database of 700+ risks extracted, with quotes and page numbers, from 43(!) taxonomies. To categorize the identified risks, we adapt two existing frameworks into taxonomies. Our Causal Taxonomy categorizes risks based on three factors: the Entity involved, the Intent behind the risk, and the Timing of its occurrence. Our Domain Taxonomy categorizes AI risks into 7 broad domains and 23 more specific subdomains. For example, 'Misinformation' is one of the domains, while 'False or misleading information' is one of its subdomains. 💡 Four insights from our analysis: 1️⃣ 51% of the risks extracted were attributed to AI systems, while 34% were attributed to humans. Slightly more risks were presented as being unintentional (37%) than intentional (35%). Six times more risks were presented as occurring after (65%) than before deployment (10%). 2️⃣ Existing risk frameworks vary widely in scope. On average, each framework addresses only 34% of the risk subdomains we identified. The most comprehensive framework covers 70% of these subdomains. However, nearly a quarter of the frameworks cover less than 20% of the subdomains. 3️⃣ Several subdomains, such as *Unfair discrimination and misrepresentation* (mentioned in 63% of documents); *Compromise of privacy* (61%); and *Cyberattacks, weapon development or use, and mass harm* (54%) are frequently discussed. 4️⃣ Others such as *AI welfare and rights* (2%), *Competitive dynamics* (12%), and *Pollution of information ecosystem and loss of consensus reality* (12%) were rarely discussed. 🔗 How can you engage?   Visit our website, explore the repository, read our preprint, offer feedback, or suggest missing resources or risks (see links in comments). 🙏 Please help us spread the word by sharing this with anyone relevant. Thanks to everyone involved: Alexander Saeri, Jess Graham 🔸, Emily Grundy, Michael Noetel 🔸, Risto Uuk, Soroush J. Pour, James Dao, Stephen Casper, and Neil Thompson. #AI #technology

Every AI failure you've read about traces back to one of these risks. Not a bug. Not bad luck. A known, named, predictable category of risk that every AI team should already be tracking. Here's the AI Risk Periodic Table, mapped across 10 categories every founder, product leader, and enterprise team needs to understand. 𝟭. 𝗠𝗼𝗱𝗲𝗹 𝗥𝗶𝘀𝗸𝘀 Hallucination, bias, drift, overfitting, underfitting, error propagation. The model itself fails before anyone touches it. 𝟮. 𝗗𝗮𝘁𝗮 𝗥𝗶𝘀𝗸𝘀 Mislabeling, source risk, synthetic data risk, duplicate data, data leakage, consent risk, quality loss. Bad data breaks good models. 𝟯. 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗥𝗶𝘀𝗸𝘀 Jailbreaks, prompt injection, adversarial attacks, API abuse, token theft, supply chain risk. Every AI system is a new attack surface. 𝟰. 𝗚𝗼𝘃𝗲𝗿𝗻𝗮𝗻𝗰𝗲 𝗮𝗻𝗱 𝗖𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 Governance failure, compliance risk, regulatory risk, policy failure, ownership gap, explainability gap. The stuff that gets companies fined or sued. 𝟱. 𝗢𝗽𝗲𝗿𝗮𝘁𝗶𝗼𝗻𝗮𝗹 𝗥𝗶𝘀𝗸𝘀 Scaling, cost overrun, latency, deployment, documentation, integration, rollback gaps. Where production AI quietly bleeds money. 𝟲. 𝗕𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗮𝗻𝗱 𝗥𝗲𝗽𝘂𝘁𝗮𝘁𝗶𝗼𝗻 𝗥𝗶𝘀𝗸𝘀 Reliability, reputation, customer trust loss, revenue impact, ROI failure, strategy misalignment. The risks the CFO cares about most. 𝟳. 𝗛𝘂𝗺𝗮𝗻 𝗮𝗻𝗱 𝗘𝘁𝗵𝗶𝗰𝗮𝗹 𝗥𝗶𝘀𝗸𝘀 Fairness, trust gap, ethical risk, automation bias, job displacement fear. The risks that decide whether anyone actually uses your AI. 𝟴. 𝗠𝗼𝗻𝗶𝘁𝗼𝗿𝗶𝗻𝗴 𝗮𝗻𝗱 𝗖𝗼𝗻𝘁𝗿𝗼𝗹 Monitoring gaps, audit gaps, alert failure, logging gap, metric blindness, validation gaps. If you can't see it, you can't fix it. 𝟵. 𝗔𝗴𝗲𝗻𝘁𝗶𝗰 𝗔𝗜 𝗥𝗶𝘀𝗸𝘀 Agent autonomy risk, tool misuse, memory risk, goal misalignment, delegation risk, multi-agent failure, loop failure. The newest, most underestimated category in 2026. 𝟭𝟬. 𝗙𝗮𝗶𝗹-𝗦𝗮𝗳𝗲 𝗥𝗶𝘀𝗸𝘀 Kill switch gap, feedback gap, evaluation failure, red teaming gap. The layer that decides whether AI fails gracefully or catastrophically. 𝗧𝗵𝗲 𝗯𝗶𝗴 𝗶𝗱𝗲𝗮: Most AI teams worry about hallucinations. The best teams worry about all 70+ of these, with a system to monitor each one. AI isn't risky because it's new. It's risky because most teams have never mapped its risks. This table is that map. Which risk is your team underestimating right now? Repost to help another AI leader plan smarter.

Are you a legal or compliance team member responsible for reviewing new AI vendor tools but struggling with bandwidth to do so? Then this post is for you. Internal requests to legal and compliance teams to approve new AI vendors are overwhelming - every tech vendor now has some form of AI functionality, and if the internal mandate is "all new AI must be reviewed and approved", then legal and compliance teams simply won't have enough hours in the day. Necessity therefore breeds an uncomfortable compromise - legal and compliance teams are forced to create simple gating rules that ensure the most risky AI tools still get escalated to them for their review, while lower risk AI tools get waived through without formal review. If you find yourself in that difficult position, and can ask only a handful of key gating questions to the business or vendor, what should they be? For most commercial organisations, I'd suggest the five questions set out in the diagram below. The first two are self-explanatory - though, of course, if you're asking this of business colleagues rather than the AI vendor directly, you'll need to give them a simple list of what is prohibited or high risk for them to check against. The third question aims to ensure that the AI vendor processes your data only as a processor - and that it doesn't use confidential, commercially sensitive, proprietary or personal data to train its models, with the risk that the AI's outputs will regurgitate your data to others. The fourth question is oriented towards detecting agentic AI use cases - specifically those that will make autonomous decisions in the sense of the GDPR - i.e. those that have legal or significant effects on people, necessarily requiring closer review and scrutiny. The final question tries to address the biggest B2B risk of using genAI tools - namely that they (or their outputs) gets used for external-facing purposes, such as integration into customer products, interacting with customers through chatbots, or writing content for websites. Purely internal use of genAI, while not without its risks, raises lower concerns in most commercial cases. Yes, of course there are holes you can pick in this risk-managed approach - but the simple reality is that most legal and compliance teams don't have the luxury of infinite time, budget or headcounts to review every AI tool the business wants to use, and need to do the best they can with limited resources. If you find yourself in this position, then these questions will hopefully throw you a lifeline!

This week I found four papers on Google Scholar “written” by me and my co-authors. Except we didn’t write them. They were AI-generated fake citations. I see multiple risks associated with that happening: - Misinformation risks if fakes get referenced further, in academic research, policy, funding proposals, or practical guidelines. Especially in fields that impact people’s lives directly. - Erosion of trust in academic research: real research becomes harder to find; claims are harder to verify. - Collateral damage to journals that never published the research but are now cited as if they did. - Distorted journal and author metrics: fake citations inflate impact factors, h-indexes, and other performance indicators. - Reputational harm to the real authors falsely cited. - Legal exposure if harmful claims are falsely attributed to you. The same way countries are trying to figure out how to protect voices and faces to fight deepfakes and artworks to fight copyright fraud, we need knowledge and author protection in academic publishing. Until then, document and report such cases - because the more visible we make this problem, the harder it will be ignored. What else can be done? Have it ever happened to you? #academicintegrity #academia #informationsystems Electronic Markets - The International Journal on Networked Business Journal of Information Technology (JIT)

On August 1, 2024, the European Union's AI Act came into force, bringing in new regulations that will impact how AI technologies are developed and used within the E.U., with far-reaching implications for U.S. businesses. The AI Act represents a significant shift in how artificial intelligence is regulated within the European Union, setting standards to ensure that AI systems are ethical, transparent, and aligned with fundamental rights. This new regulatory landscape demands careful attention for U.S. companies that operate in the E.U. or work with E.U. partners. Compliance is not just about avoiding penalties; it's an opportunity to strengthen your business by building trust and demonstrating a commitment to ethical AI practices. This guide provides a detailed look at the key steps to navigate the AI Act and how your business can turn compliance into a competitive advantage. 🔍 Comprehensive AI Audit: Begin with thoroughly auditing your AI systems to identify those under the AI Act’s jurisdiction. This involves documenting how each AI application functions and its data flow and ensuring you understand the regulatory requirements that apply. 🛡️ Understanding Risk Levels: The AI Act categorizes AI systems into four risk levels: minimal, limited, high, and unacceptable. Your business needs to accurately classify each AI application to determine the necessary compliance measures, particularly those deemed high-risk, requiring more stringent controls. 📋 Implementing Robust Compliance Measures: For high-risk AI applications, detailed compliance protocols are crucial. These include regular testing for fairness and accuracy, ensuring transparency in AI-driven decisions, and providing clear information to users about how their data is used. 👥 Establishing a Dedicated Compliance Team: Create a specialized team to manage AI compliance efforts. This team should regularly review AI systems, update protocols in line with evolving regulations, and ensure that all staff are trained on the AI Act's requirements. 🌍 Leveraging Compliance as a Competitive Advantage: Compliance with the AI Act can enhance your business's reputation by building trust with customers and partners. By prioritizing transparency, security, and ethical AI practices, your company can stand out as a leader in responsible AI use, fostering stronger relationships and driving long-term success. #AI #AIACT #Compliance #EthicalAI #EURegulations #AIRegulation #TechCompliance #ArtificialIntelligence #BusinessStrategy #Innovation 

Yesterday I watched AI fail in front of 15,000 developers. At WeAreDevelopers, one of Europe’s biggest dev conferences, GitHub engineers tried something bold: A live demo of GitHub’s new AI coding agents. We all leaned in. First run? It hung. The presenter had to restart. Second try? It generated code… but with an error. No worries — he copied the error into the prompt and asked AI to fix it. Failed again. Then again. And again. After 5 retries, he gave up. And I think 15,000 of us were collectively sweating for him. But here’s the thing: They came to prove that 90% of your code can be written by AI. Instead, they accidentally proved something more valuable: AI can write code. But it can’t (yet) understand your intent, your domain knowledge, or the real problem behind a feature request. Without a developer behind the wheel, AI is just guessing. And guessing doesn’t scale. AI will be a superpower — but only for those who already know how to code. Not a replacement. A multiplier. Let’s stop pretending otherwise. What do you think — are we too quick to put AI in the driver’s seat?

AI success isn’t just about innovation - it’s about governance, trust, and accountability. I've seen too many promising AI projects stall because these foundational policies were an afterthought, not a priority. Learn from those mistakes. Here are the 16 foundational AI policies that every enterprise should implement: ➞ 1. Data Privacy: Prevent sensitive data from leaking into prompts or models. Classify data (Public, Internal, Confidential) before AI usage. ➞ 2. Access Control: Stop unauthorized access to AI systems. Use role-based access and least-privilege principles for all AI tools. ➞ 3. Model Usage: Ensure teams use only approved AI models. Maintain an internal “model catalog” with ownership and review logs. ➞ 4. Prompt Handling: Block confidential information from leaking through prompts. Use redaction and filters to sanitize inputs automatically. ➞ 5. Data Retention: Keep your AI logs compliant and secure. Define deletion timelines for logs, outputs, and prompts. ➞ 6. AI Security: Prevent prompt injection and jailbreaks. Run adversarial testing before deploying AI systems. ➞ 7. Human-in-the-Loop: Add human oversight to avoid irreversible AI errors. Set approval steps for critical or sensitive AI actions. ➞ 8. Explainability: Justify AI-driven decisions transparently. Require “why this output” traceability for regulated workflows. ➞ 9. Audit Logging: Without logs, you can’t debug or prove compliance. Log every prompt, model, output, and decision event. ➞ 10. Bias & Fairness: Avoid biased AI outputs that harm users or breach laws. Run fairness testing across diverse user groups and use cases. ➞ 11. Model Evaluation: Don’t let “good-looking” models fail in production. Use pre-defined benchmarks before deployment. ➞ 12. Monitoring & Drift: Models degrade silently over time. Track performance drift metrics weekly to maintain reliability. ➞ 13. Vendor Governance: External AI providers can introduce hidden risks. Perform security and privacy reviews before onboarding vendors. ➞ 14. IP Protection: Protect internal IP from external model exposure. Define what data cannot be shared with third-party AI tools. ➞ 15. Incident Response: Every AI failure needs a containment plan. Create a “kill switch” and escalation playbook for quick action. ➞ 16. Responsible AI: Ensure AI is built and used ethically. Publish internal AI principles and enforce them in reviews. AI without policy is chaos. Strong governance isn’t bureaucracy - it’s your competitive edge in the AI era. 🔁 Repost if you're building for the real world, not just connected demos. ➕ Follow Nick Tudor for more insights on AI + IoT that actually ship.